Applicant : Robert Bruce Hirsh Attorney's Docket No.: 06975-200001 / Security 13 

Serial No. : 09/894,919 

Filed : June 29, 2001 




REMARKS 

In response to the non-final office action of July 26, 2006, applicant asks that all claims 
be allowed in view of the following remarks. Claims 67-80 and 96-143 are currently pending, 
with claims 67, 105, and 126 being independent. Claims 67, 72, and 73 have been amended; 
claims 20, 21, 24-28, 30-39, 55-66 and 81-95 have been canceled; and claims 96-143 have been 
added. In particular, Applicant has amended independent claim 67 to recite "establishing an 
authenticated connection between a client and an intermediary." Applicant submits that this 
limitation does not change the scope of the prior version of claim 67 and was included merely to 
provide explicit antecedent basis for the limitation of "the authenticated connection between the 
client and the intermediary" included in the last limitation. Additionally, Applicant has amended 
claim 67 to recite "receiving, from the intermediary, constrained authorization information that 
has been electronically negotiated by the secured service and the intermediary, the constrained 
authorization information being electronically negotiated in response to the client request." 
Support for the amendments and the new claims can be found in the application at, for example, 
page 10, line 26 through page 11, line 30 referring to Figs. 6 and 7. No new matter has been 
introduced. 

§ 112 Rejection

Claim 72 was rejected under 35 U.S.C. § 112, second paragraph, as being indefinite. In 
response, claim 72 has been amended. The amendment is believed to address all of the 
Examiner's concerns. Applicant respectfully requests reconsideration and withdrawal of the 
rejection. 

Loucks Rejection 

Independent claim 67, along with its dependent claims 68-80, has been rejected under 
35 U.S.C. § 103(a) as being unpatentable over U.S. Patent No. 5,481,720 (Loucks). Applicant 
requests reconsideration and withdrawal of the rejection because claims 20, 21, 24-28, 30-39, 
55-66 and 81-95 have been canceled and Loucks does not describe or suggest all of the limitations 
recited in amended independent claim 67, as described more fully below. 

As amended, independent claim 67 recites a method, performed by a client, of leveraging 
a connection with an intermediary to access a secured service. An authenticated connection 
between a client and an intermediary is established and the client receives a user request for 
access to a secured service. The client submits a request, which is based on the user request for 
access to a secured service, to the intermediary that is physically distinct of the secured service. 
The client receives, from the intermediary, constrained authorization information that has been 
electronically negotiated by the secured service and the intermediary, the constrained 
authorization information being electronically negotiated in response to the client request. The 
client submits the constrained authorization information to the secured service to establish a 
direct authenticated connection between the client and the secured service independent of the 
authenticated connection between the client and the intermediary. 

Loucks does not describe or suggest receiving, from the intermediary, constrained 
authorization information that has been electronically negotiated by the secured service and the 
intermediary, the constrained authorization information being electronically negotiated in 
response to the client request, as recited by claim 67. 

Rather, Loucks relates to a flexible method of authenticating an initiating node to a 
receiving service node in a distributed data processing environment that utilizes separate 
authentication agent programs at each of the nodes to assist in authentication. See Loucks at col. 
6, line 53 through col. 7, line 19. In particular, as shown in Fig. 5, when a requestor process 504 
running on an initiating node wishes to establish an authenticated connection with a service 
process 514 running on a receiving service node, the requestor process 504 sends a message 520 
identifying the process making the request and the requested service to a requestor authentication 
agent program 502 running on the initiating node. See Loucks at col. 8, lines 44-65. The 
requestor authentication agent program 502 determines authentication information for the 
requestor process 504 based on the message 520 and sends the authentication information to the 
requestor process 504 in a reply message 521. See Loucks at col. 8, line 66 through col. 9, line 
9. The requestor process 504 then sends the authentication information included in the reply 
message 521 to the service process 514, so that the service process 514 can send the 
authentication information to a service authentication agent 512 running on the receiving service 
node to process the authentication information. See Loucks at col. 9, lines 9-31. Notably, 
Loucks does not describe or suggest that the authentication information received by the requestor 
process 504 from the requestor authentication agent program 502 was previously electronically 
negotiated between an intermediary and the service process 514. Nor does Loucks describe or 
suggest that this authentication information was electronically negotiated by an intermediary and 
the service process 514 in response to the message 520. Rather, Loucks describes the 
authentication information being generated by the requestor authentication agent program 502 
without any electronic communication whatsoever between an intermediary and the service 
process 514. Thus, Loucks fails to describe or suggest receiving, from the intermediary, 
constrained authorization information that has been electronically negotiated by the secured 
service and the intermediary, the constrained authorization information being electronically 
negotiated in response to the client request, as recited by claim 67. 

More specifically, in one implementation, Loucks describes that the requestor 
authentication agent program 502 may communicate with a Kerberos ticket granting service to 
acquire a ticket to be used as the authentication information for the requestor process 504. See 
Loucks at col. 11, lines 55-65. In response to the request, the Kerberos ticket granting service 
generates a ticket without communicating with the service process 514 or with any other entity 
and sends the ticket to the requestor authentication agent program 502. See Loucks at col. 11, 
line 66 through col. 12, line 10 and col. 4, line 62 through col. 5, line 30.[1] Because the Kerberos 
service generates a ticket without communicating with the service process 514 or with any other 
entity, the requestor authentication agent program 502 does not receive constrained authorization 
information from the Kerberos service that has been electronically negotiated between the 
Kerberos service and a secured service. As such, Loucks fails to describe or suggest receiving, 
from the intermediary, constrained authorization information that has been electronically 
negotiated by the secured service and the intermediary, the constrained authorization information 
being electronically negotiated in response to the client request, as recited by claim 67. 

[1] Specifically, Loucks describes that "[a]nother distinctive feature of the Kerberos authentication scheme is that 
while the user must go to the authentication server to request tickets, the service to which these tickets are being 
presented does not need to communicate with the Kerberos authentication service during user authentication." 
Loucks at col. 5, lines 24-30. 

Therefore, for at least these reasons, applicant requests reconsideration and withdrawal of 
the rejection of claim 67 and its dependent claims 68-80. 

Applicant also notes that the Examiner responded to points raised in the Appeal Brief 
filed May 12, 2006 on page 3 of the Office Action. Applicant traverses the statements made by 
Examiner for at least the reasons presented in the Appeal Brief filed May 12, 2006. 
Nevertheless, Applicant submits that neither Cohen, Stevens, Menezes, Sadovsky, nor any 
proper combination thereof, describes or suggests receiving, from the intermediary, constrained 
authorization information that has been electronically negotiated by the secured service and the 
intermediary, the constrained authorization information being electronically negotiated in 
response to the client request, as recited by amended independent claim 67. 

In addition, Applicant notes the Examiner's assertion that the Examiner's use of official 
notice with regard to the claimed limitations found in claims 35-37, 55, 56, 66, 73, 79-81, 84, 87-90, 
and 95 has not been adequately traversed. To the contrary, Applicant submits that the 
Examiner's use of official notice with regard to claims 35-37, 55, 56, 66, 73, 79-81, 84, 87-90, 
and 95 was properly traversed in the response to office action filed on August 2, 2005. 
Therefore, Applicant submits that it is not proper for the Examiner to consider the official notice 
taken with regard to claims 35-37, 55, 56, 66, 73, 79-81, 84, 87-90, and 95 as admitted prior art. 

New independent claim 105 recites electronically negotiating constrained authorization 
information with the secured service in response to receiving the client request, and new 
independent claim 126 recites electronically negotiating constrained authorization information 
with the intermediary in response to receiving the notification. Accordingly, for the reasons 
discussed above with respect to claim 67, applicant submits that claims 105 and 126, along with 
their dependent claims 106-125 and 127-143 are in condition for allowance. 

Conclusion 



Applicant submits that all claims are in condition for allowance. 

It is believed that all of the pending issues have been addressed. However, the absence of 
a reply to a specific rejection, issue or comment does not signify agreement with or concession 
of that rejection, issue or comment. In addition, because the arguments made above may not be 
exhaustive, there may be reasons for patentability of any or all pending claims (or other claims) 
that have not been expressed. Finally, nothing in this reply should be construed as an intent to 
concede any issue with regard to any claim, except as specifically stated in this reply, and the 
amendment of any claim does not necessarily signify concession of unpatentability of the claim 
prior to its amendment. 

Pursuant to 37 CFR §1.136, Applicant hereby petitions that the period for response to the 
action dated July 26, 2006, be extended for one month to and including November 26, 2006. 
November 26, 2006 is a Sunday. 

Please charge the fee in the amount of $320.00 in payment of the one month extension of 
time fee ($120) and excess claims fee ($200) to the deposit account 06-1050. Please apply any 
other charges or credits to deposit account 06-1050. 